Ciphera: A Decentralised Biometric Identity Framework

Source: arXiv:2605.29868 · Published 2026-05-28 · By Ankit Kanaiyalal Prajapati, Shahzad Memon, Mohammed Mahir Rahman, Ameer Al-Nemrat

TL;DR

This paper addresses critical limitations of centralized biometric identity systems, such as single points of failure, opaque verification, and irreversible biometric compromise. It introduces Ciphera, a decentralized biometric identity framework that integrates privacy-preserving facial recognition, multi-node distributed verification, IPFS for storing credential metadata, and blockchain-anchored revocation to improve confidentiality, integrity, and availability. The system leverages zero-knowledge proofs to verify biometric authentication claims without exposing raw biometric data and separates responsibilities across user device, orchestration gateway, decentralized verifier nodes, and decentralized trust layers.

Ciphera was implemented as a prototype and evaluated under controlled conditions using synthetic biometric data. It achieved an overall 81% functional success rate, with stable enrollment and authentication workflows, sub-second 95th percentile verification latency (~820ms) under concurrent multi-node load, and strong confidentiality/integrity guarantees. However, the evaluation revealed challenges including revocation propagation delays across verifier nodes, audit-log inconsistencies due to concurrency effects, and vulnerability to deepfake and replay attacks stemming from incomplete liveness detection. These results demonstrate the practical feasibility of decentralized biometric identity coupled with multi-node verification and blockchain-backed revocation, while identifying key engineering constraints for production deployment.

Key findings

  • Ciphera achieved an overall functional success rate of 81% across enrollment (100%), authentication (83%), revocation (80%), audit-log integrity (75%), and session management (70%) tests.
  • Performance tests showed a p95 verification latency of approximately 820ms under concurrent multi-node verification conditions, with CPU usage below 50%.
  • Revocation propagation delays between verifier nodes caused temporary inconsistencies allowing outdated credential acceptance during asynchronous state updates.
  • Hash-chained audit logs maintained tamper evidence but exhibited ordering inconsistencies during rapid revocation sequences primarily due to race conditions and non-deterministic event ordering.
  • Security analysis confirmed strong confidentiality and integrity via AES-256 encryption of biometric embeddings, SHA-256 hashing, blockchain-anchored revocation, and JWT validation.
  • Incomplete liveness detection leaves vulnerability to deepfake and replay attacks, representing the system's most significant security gap.
  • The decentralized verification architecture, with client-side biometric embedding generation and zero-knowledge proofs, enables authentication without exposing raw biometric data beyond the device.
  • Compatibility testing confirmed functional biometric embedding generation and verification workflows across major browsers: Chrome, Firefox, Opera, and Safari.

Threat model

Adversaries can attempt spoofing via biometric replay or deepfakes, tamper with biometric templates, deny service through flooding, repudiate performed actions, or elevate privileges by hijacking tokens. Attackers cannot compromise the trusted device environment where biometric capture, embedding generation, and zero-knowledge proof creation occur, nor can they access the private cryptographic keys controlling decentralized credentials. The threat model excludes adversaries who control a majority of blockchain consensus nodes or who launch complex network attacks on inter-node communication.

Methodology — deep read

  1. Threat Model & Assumptions: Ciphera considers adversaries seeking to spoof biometric authentication, tamper with identity credentials, deny service, or elevate privileges. The system assumes attackers control neither the user's trusted device environment nor the private keys used in decentralized identity credentials. The threat model covers the classic STRIDE categories and mitigates them through encryption, hash-chained logs, distributed verification, and token validation. However, it does not fully address liveness attacks, because liveness detection is incomplete.

  2. Data: Synthetic biometric facial samples were generated to avoid using real user biometrics, ensuring privacy and ethical compliance. These were converted into facial embeddings using a TensorFlow Lite pipeline deployed on user devices. Data was anonymized. Functional testing ran across 12 well-defined cases covering enrollment, authentication, revocation, audit log, and session management. Logs captured timestamps, request flows, response consistency, and node state.

  3. Architecture & Algorithm: Ciphera is layered into four domains: user-controlled device layer (biometric capture, embedding, liveness, zero-knowledge proof generation), orchestration layer (FastAPI gateway managing requests, multi-node distribution, response aggregation), decentralized verifier layer (independent nodes performing zero-knowledge proof validation, DID+VC credential validation via IPFS metadata, blockchain-based revocation checks), and decentralized trust layer (IPFS for content-addressable metadata storage, blockchain ledger for immutable revocation records).

The authentication workflow starts at the client device, which captures facial data, generates encrypted embeddings, performs local liveness checks, and constructs a zero-knowledge proof asserting possession of a valid, non-revoked credential and a successful biometric match. The gateway validates the request format and dispatches it to multiple verifier nodes, each of which independently verifies the proof, the authenticity of the credential metadata, and the revocation status via blockchain queries. Responses are aggregated by consensus threshold to produce the final access decision.

  4. Training Regime: Not applicable as biometric embeddings are produced via an existing TensorFlow Lite model. Testing employed concurrency simulations using Locust. Functional tests were executed repeatedly for consistency evaluation. Hyperparameters related to network requests and caching were manually tuned. No mention of random seeds or hardware specifics beyond cloud-based multi-node setup.

  5. Evaluation Protocol: Functional testing covered 12 end-to-end test cases across enrollment, authentication, revocation, audit-log generation, and session management. Performance was evaluated under increasing simulated user concurrency measuring latency (p95), throughput, and CPU utilization on gateway and verifier nodes. Security testing involved STRIDE threat modeling, CIA triad analysis, and attempts at JWT tampering and unauthorized access. Compatibility testing across major browsers ensured client pipeline stability. Distributed consistency was assessed by evaluating revocation propagation latency and audit log coherency during rapid event injections.

  6. Reproducibility: The prototype was implemented with off-the-shelf components like TensorFlow Lite, FastAPI, IPFS, and blockchain anchors. Synthetic datasets and test scripts were used internally; code release or model freezes were not explicitly stated, nor were any closed datasets mentioned. The absence of real biometric data affects external reproducibility.
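
The threshold aggregation in the authentication workflow above is where the revocation propagation delay from the key findings becomes an acceptance decision. The sketch below is an added example, not code from the paper or the Ciphera prototype: `NodeVerdict`, both aggregation functions, the node names and the ledger heights are hypothetical, and it assumes the gateway knows the current ledger height and that each verifier reports the height its revocation view was read at.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NodeVerdict:
    node_id: str
    proof_valid: bool   # proof and credential metadata checked out on this node
    revoked: bool       # this node's (possibly cached) view of revocation status
    ledger_height: int  # ledger height at which that revocation view was read

def aggregate_majority(verdicts, threshold):
    """Naive aggregation: accept once `threshold` nodes approve."""
    approvals = sum(1 for v in verdicts if v.proof_valid and not v.revoked)
    return approvals >= threshold

def aggregate_fail_closed(verdicts, threshold, current_height, max_lag=0):
    """Revocation-aware aggregation.

    Revocation is monotonic (a revoked credential stays revoked), so one
    'revoked' report is treated as a veto, and approvals from nodes whose
    revocation view lags the ledger by more than `max_lag` are not counted.
    """
    if any(v.revoked for v in verdicts):
        return False
    fresh = [v for v in verdicts if current_height - v.ledger_height <= max_lag]
    return sum(1 for v in fresh if v.proof_valid) >= threshold

# Constructed scenario: the credential was revoked at ledger height 120.
# node-a has synced; node-b and node-c still serve a cached view from 118.
DURING_PROPAGATION = [
    NodeVerdict("node-a", True, True, 120),
    NodeVerdict("node-b", True, False, 118),
    NodeVerdict("node-c", True, False, 118),
]
# node-a timed out, so only the two stale nodes answered.
STALE_ONLY = DURING_PROPAGATION[1:]
# A different, never-revoked credential with every node in sync.
ALL_FRESH = [NodeVerdict(n, True, False, 120) for n in ("node-a", "node-b", "node-c")]

if __name__ == "__main__":
    for name, vs in [("during", DURING_PROPAGATION), ("stale", STALE_ONLY), ("fresh", ALL_FRESH)]:
        print(name, aggregate_majority(vs, 2), aggregate_fail_closed(vs, 2, 120))
```

The single-node veto trades availability for safety: one faulty or malicious verifier can deny a valid login, which matters because denial of service is inside the stated threat model. Raising `max_lag` restores availability but reopens the stale-acceptance window by the same amount.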

Technical innovations

  • Integration of privacy-preserving facial recognition with decentralized identity credentials using zero-knowledge proofs to confirm biometric match and credential validity without exposing raw biometric data.
  • Multi-node distributed verification architecture combining independent verifier nodes that each validate zero-knowledge proofs, fetch IPFS-based credential metadata, and check blockchain-anchored revocation to reduce centralized trust assumptions.
  • Use of IPFS as a content-addressable metadata store for decentralized credential information in combination with a blockchain ledger for immutable revocation anchoring.
  • Layered architectural separation isolating biometric data processing (client device), orchestration (gateway), verifier functions, and trust infrastructure to minimize attack surface and enable independently verifiable domains.

Datasets

  • Synthetic biometric facial samples — unspecified quantity — internally generated for testing and evaluation

Baselines vs proposed

  • Hyperledger Indy: Partial zero-knowledge support, no native biometric authentication; incurs medium centralized storage risk vs Ciphera: full biometric verification with low centralized risk
  • Microsoft ION: Supports scalable DID anchoring without biometric authentication or zero-knowledge proof, medium centralized risk vs Ciphera: integrated decentralized biometric authentication
  • Sovrin: Distributed trust network with partial zero-knowledge support but no biometric workflow vs Ciphera: multi-node biometric authentication with blockchain revocation
  • MOSIP: Semi-centralized biometric identity with central revocation authority and high centralized storage risk vs Ciphera: decentralized multi-node verification with blockchain-based revocation

Figures from the paper

Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.29868.

  • Fig 2: illustrates
  • Fig 3: demonstrates the zero-knowledge verification
  • Fig 4: illustrates the device integrity verification process
  • Fig 5: demonstrates the privacy-preserving data ownership
  • Fig 6: User Biometric Registration Interface.
  • Fig 6 (page 6).
  • Fig 7 (page 7).

Limitations

  • Revocation propagation delays cause temporary acceptance of revoked credentials due to asynchronous cache invalidation across independent verifier nodes.
  • Audit-log hash-chain integrity was compromised during rapid event sequences because of race conditions and non-deterministic ordering, making tamper evidence inconsistent under load.
  • Lack of a robust, fully integrated liveness detection module exposes the system to deepfake and replay attacks, undermining biometric authentication security.
  • Use of synthetic, rather than real-world biometric data limits evaluation generalizability, especially regarding biometric variability and adversarial conditions.
  • Prototype does not implement automated failover, inter-node TLS, or scaling considerations beyond small verifier node clusters.
  • Session management contained a timeout handling defect allowing sessions to remain active beyond configured limits, representing a security risk.
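
The audit-log limitation above can be reproduced in miniature. The following is an added example, not the prototype's code: a single-process hash-chained log (all names hypothetical, events constructed) in which two writers that link to the same previously read head break the chain, while reading the head and appending inside one critical section keeps it intact. A multi-node deployment would need the equivalent single sequencing point across nodes.

```python
import hashlib, json, threading
from concurrent.futures import ThreadPoolExecutor

GENESIS = "0" * 64  # "previous hash" of the first entry

def make_entry(seq, prev, event):
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return {"seq": seq, "prev": prev, "event": event,
            "hash": hashlib.sha256(body.encode()).hexdigest()}

class AuditLog:
    def __init__(self):
        self.entries, self._lock = [], threading.Lock()

    def head(self):  # (next sequence number, hash of last entry) as seen right now
        return len(self.entries), (self.entries[-1]["hash"] if self.entries else GENESIS)

    def append_from(self, seq, prev, event):  # racy: head was read earlier by the caller
        self.entries.append(make_entry(seq, prev, event))

    def append(self, event):  # serialized: head read and append share one lock
        with self._lock:
            self.append_from(*self.head(), event)

def first_break(entries):
    """Index of the first entry that breaks the chain, or -1 if it is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e != make_entry(i, prev, e["event"]):
            return i
        prev = e["hash"]
    return -1

def racy_demo():
    """Constructed events: two writers read the same head, then both append."""
    log = AuditLog()
    log.append({"type": "auth", "cred": "cred-A"})
    snap_1, snap_2 = log.head(), log.head()
    log.append_from(*snap_1, {"type": "revoke", "cred": "cred-A"})
    log.append_from(*snap_2, {"type": "auth", "cred": "cred-A"})
    return first_break(log.entries)

def locked_demo(workers=8, per_worker=50):
    log = AuditLog()
    events = [{"type": "revoke", "n": n} for n in range(workers * per_worker)]
    with ThreadPoolExecutor(workers) as pool:
        list(pool.map(log.append, events))  # list() surfaces worker exceptions
    return len(log.entries), first_break(log.entries)
```

In the racy case the verifier cannot tell a concurrency fork from tampering, which is why ordering defects under load weaken tamper evidence even when no entry has been altered.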

Open questions / follow-ons

  • How to design deterministic cache invalidation and event-driven synchronization to reduce revocation propagation latency and close temporary trust windows in a multi-node environment?
  • What stronger distributed log ordering and consensus protocols can improve audit-log consistency and tamper evidence under high concurrency and rapid event sequences?
  • How to integrate production-grade, robust liveness detection mechanisms that can reliably mitigate deepfake and replay attack vectors within decentralized biometric frameworks?
  • What are the scalability and resilience implications of deploying Ciphera-style decentralized verification architectures at Internet scale, including automated failover and inter-node TLS?

Why it matters for bot defense

For practitioners involved in bot defense and CAPTCHA design, Ciphera offers valuable insights into combining biometrics with decentralized identity verification without exposing raw biometric data, a critical privacy consideration. Its multi-node verification model with blockchain-anchored revocation illustrates how distributed trust architectures can mitigate single points of failure common in centralized biometrics, enhancing system robustness. However, the revealed vulnerabilities to deepfake and replay attacks underline that biometric-based bot defense systems must integrate strong liveness and anti-spoofing measures to be reliable, especially when combined with decentralized validation.

Furthermore, the practical challenges observed with revocation propagation latency and distributed audit-log consistency provide cautionary lessons for deploying biometric verification as part of multi-party trust models used in bot detection systems. Ensuring timely revocation and consistent event logging is crucial to prevent replay or fraud window attacks. Overall, while Ciphera demonstrates the feasibility of privacy-preserving decentralized biometric authentication, bot-defense engineers must address unresolved engineering challenges—especially robust liveness detection and synchronization—to realize production-grade protection leveraging similar decentralized identity technologies.

Cite

@article{arxiv2605_29868,
  title={Ciphera: A Decentralised Biometric Identity Framework},
  author={Ankit Kanaiyalal Prajapati and Shahzad Memon and Mohammed Mahir Rahman and Ameer Al-Nemrat},
  journal={arXiv preprint arXiv:2605.29868},
  year={2026},
  url={https://arxiv.org/abs/2605.29868}
}

Articles are CC BY 4.0 — feel free to quote with attribution